How to Protect Microsoft 365 from On-Premises Attacks?

Protecting Microsoft 365 from on-Premises Attacks

Microsoft 365 is diverse enough to enrich the capabilities of many types of private businesses. It complements users, applications, networks, devices, and whatnot. However, Microsoft 365 cybersecurity is often compromised and there are countless ways that have been reported so far. One of the hottest gateways to these attacks on Microsoft 365 is through on-premises infrastructure. 

Microsoft 365 is to an organization what the nervous system is to your body. If your on-premises infrastructure is vulnerable, you need to protect this ‘nervous system’ from the lurking security threat.

Cloud Security

How do I protect Microsoft 365 from On-Prem Attacks?

You need to carefully configure your infrastructure to protect your Microsoft 365 cloud environment from on-premises compromise:

  • Configure Microsoft Entra ID tenants to prevent attacks.
  • Connect Microsoft Entra ID tenants safely to on-premises systems.
  • Carefully tweak the decision and policy tradeoffs to beef up your systems to strengthen your on-premises infrastructure so that it prevents attacks leading to M365.

Why On-premises Infrastructure Provide Avenue for Cyber Attack?

Organizations are usually super sensitive about Microsoft 365 Security. So, for critical authentications and directory object state management settings, they prefer to keep these settings on on-prem infrastructure.

A hybrid environment can facilitate them to connect M365 to their on-prem infrastructure. This combination is vital for trust delegation as they can keep any critical settings nearby.

However, if the on-premises environment is compromised, it can be a huge security lapse for your Microsoft 365 security. This will expose potential vulnerabilities in the system. The security flaws are generally about federation trust relationships and account synchronization.

We’ll talk about them in detail as we move forward.

Cloud Computing

What Are the Main Sources of On-Prem Threats for Microsoft 365?

The two primary avenues of risk are:

  • Federation trust relationships
  • Account synchronization.  

Let’s discuss both of these…

Federation Trust Relationships

They allow users to authenticate to cloud-based applications using their on-premises Active Directory credentials.

FTRs do that by establishing a trust relationship between the on-premises identity provider (IdP) and the Cloud-based service provider (SP).

They allow attackers unlimited administrative access to your cloud resources. For instance, FTRs like Security Assertions Markup Language (SAML) authentication can authenticate users in Microsoft 365 via your on-premises identity infrastructure.

If the SAML token-signing certificate is compromised, this opens the door for anyone possessing that certificate to impersonate cloud users.

As a precaution, you can disable federation trust relationships for authenticating in Microsoft 365 when feasible.

Account Synchronization

Account synchronization means copying user accounts and other objects from an on-prem identity hub to cloud. This is typically done using a directory synchronization tool, such as Azure AD Connect.

Account synchronization can be a point of concern because it can be used to manipulate privileged users and groups with administrative privileges within Microsoft 365.

To mitigate this risk, it’s recommended to ensure that synchronized objects possess no privileges beyond being a standard user in Microsoft 365.

You can manage these privileges either directly or by inclusion in trusted roles or groups. Be certain that these objects have no direct or nested assignments within trusted cloud roles or groups.

Secure Danger Sign

Built-in Security Features in Microsoft 365

Microsoft 365 comes with several built-in security features to help you protect your on-prem environment, and ultimately the M365 cloud. Some of these features include:

Microsoft Defender for Identity:

This tool, formerly known as Azure Advanced Threat Protection (Azure ATP), provides real-time risk detection and remediation for enterprise identities across both cloud and hybrid environments.

It uses machine learning (ML) and artificial intelligence (AI) to analyze user sign-ins, identity changes, etc. to identify threats.

Defender for Identity comes as part of the Microsoft 365 Defender package. It builds its working on the signals from both on-premises Active Directory and cloud identities. Ultimately, its detection capabilities let you identify and block advanced-level threats on your organization’s Microsoft 365 cloud environment.

Your Security Operations teams can take the most benefit from Defender for Identity. With this tool in their hands, they simply don’t need to build their own identity threat detection (ITDR) solution for hybrid environments.

This tool alone hands them the power to manage the following tasks:

  • Prevent security lapses and be extra vigilant as they’ll have repeated evaluations of their identity security posture.
  • Leverage real-time, highly accurate data & forecasts to detect & block security threats.
  • They have concise and to-the-point information about every incident. Building on that, they can look deeper into any given suspicious act at any time.
  • Use automatic response to threats and compromised identities. Both built-in and custom templates will help you.

For example:

Consider Lateral Movement Paths. Defender for Identity can help you detect all such lateral movement paths and how they can be exploited anytime.

These are the paths that refer to hackers using non-sensitive accounts to access sensitive accounts.

These vulnerable areas can make your crucial accounts and users compromised. Whereas, Defender for Identity helps significantly with that, especially with its Microsoft 365 security assessments.

Cloud Management

Microsoft Defender for Cloud Apps

Get deep visibility and control over the cloud apps your organization is using. Detect and block malicious apps with complete control. You can also monitor and control access to sensitive data via these apps.

Microsoft Entra Conditional Access

This service allows you to create and enforce policies that control how users access your cloud and hybrid resources. It can help you ensure that users are authenticated and then properly authorized before they access your organization’s resources. The service also makes sure your enrolled users are using secure devices and networks.

Microsoft Defender for ID

This service provides advanced security protection for your on-premises and cloud environments. It includes features like user and entity behavioral analytics (UEBA), risk-based multifactor authentication (MFA), threat intelligence, and whatnot.

How to protect your Microsoft 365 for maximum Threat detection and data protection?

Microsoft 365 cloud comes with a robust system for monitoring and security. M365 employs both machine learning and human expertise to oversee global traffic. This enables the quick identification of threats and permits you to make adjustments in near real-time.

Here are some tips to improve the security of your cloud setup:

Completely Separate Your Microsoft 365 Admin Accounts

To beef up Microsoft 365 Security and prevent it from on-premises attacks, you need to implement the following measures for admin measures:

  • Ensure that all your admin accounts are managed through Microsoft Entra ID.
  • Authenticate users with MFA.
  • Enforce security through Microsoft Entra Conditional Access.
  • Limit access to Azure-managed workstations only.

The point here is that these admin accounts are designated for restricted use. No on-premises accounts should possess administrative privileges within Microsoft 365.

More things to do:

  • For device management within Microsoft 365, utilize Microsoft Entra join and cloud-based mobile device management (MDM).
    This will reduce reliance on on-prem device management. This will also help mitigate potential risks to device and security controls.
  • Ensure that no on-premises accounts have elevated privileges in Microsoft 365. Sure, some accounts may still need to use on-prem applications that usually require NTLM or Kerberos authentication, but, in this case, they should be on your organization’s on-prem IAM radar.
    None of these accounts, including service accounts, should have privileged cloud access or roles.
  • Another important for cybersecurity is to ensure that changes to these accounts do not impact the security of your cloud environment. Privileged on-prem software should not have the capability to affect M365 privileged accounts.
  • To reduce dependencies on on-premises credentials, use Microsoft Entra cloud authentication. Always prioritize strong authentication methods like Windows Hello or Microsoft Entra multifactor authentication.

Separate Privileged Identities

In Entra ID, key users like admins are entrusted with the ultimate trust most of the time. They have the most privileged roles and they are key to building the rest of the environment.

So, you need to implement the following items to keep the chances of any potential compromises at the lowest:

  • As mentioned earlier, don’t use hybrid or on-prem accounts for privileged roles, both in Entra ID and M365. Use Cloud-only accounts.
  • The devices for privileged access should be deployed separately and only they should be managing M365 and Entra ID.
  • Use Entra’s Privileged Identity Management (PIM) for just-in-time access to all human accounts with privileged roles. Whenever you activate roles, make it a compulsion to implement robust authentication.
  • Set up administrative roles that grant the least privileges required for essential tasks.
  • Use Cloud Groups (Entra security groups or Microsoft 365 Groups ) for a comprehensive role assignment experience.
  • Activate role-based access control. Administrative units within Microsoft Entra ID can be used to limit the role’s scope within a specific part of the organization.
  • Deploy emergency access accounts and avoid storing credentials in on-premises password vaults.

Take Help from Cloud Authentication

User credentials are the most widely used attack gateway that malicious actors exploit. However, the following steps can make your users’ credentials secure enough to avoid security lapses:

Use passwordless ways for authentication:

Passwords are highly vulnerable in this age of fast processing and machine learning. There are browser extensions, python libraries, simulating tools, and whatnot all of which combined have allowed even common users to exploit traditional security methods like passwords.

So, you need to keep your dependency on passwords to a minimum. The best thing about passwordless authentication technology is all its configurations are 100% cloud-managed. Even, they are validated in the cloud and Entra has easy options for you to deploy passwordless authentication.

Microsoft Cloud offers the following authentication methods for Microsoft 365 cybersecurity:

  • Windows Hello for business
  • The Microsoft Authenticator app
  • FIDO2 security keys

Subtle Security Settings for Hybrid Accounts in Microsoft 365

Hybrid account password management requires hybrid components like password protection agents and password writeback agents.

If malicious actors somehow gain access to these components, the whole on-premises security becomes compromised. Also, it’s important to note that it’s a practice that these potential vulnerabilities are not the top-priority red flags. They are not considered a direct threat to your Microsoft 365 security, that’s why they are likely to cause problems.  

So, always be vigilant and keep in mind that your cloud service provider does not provide built-in protection for these on-prem components whereas these components are quite vulnerable in the event of an attack.

Note: Make sure this policy is activated because if it’s not activated, the default password settings of Microsoft Azure AD will make your on-prem accounts synchronized with Azure quite vulnerable. These default settings allow non-expiring passwords of on-prem accounts, making your accounts susceptible to attacks.

Create Users, Accounts, and Policies from the Cloud

Try your best to provision cloud apps using Entra instead of going with on-premises provisioning. Hackers can easily attack SaaS applications if they are able to breach your on-prem infrastructure. App provisioning in Entra ID is a separate subject and you should read about it more on Microsoft’s website.

Cross-forest trusts are not advisable, so avoid them:

They only expand the reach of on-premises security breaches and can be costly. So, always prefer to use Use Microsoft Entra Connect cloud sync to connect your system to disconnected forests.

External identities should not be vulnerable to attacks:

Avoid, if possible, using any external direct federation with other identity providers because doing this can seriously compromise your Microsoft 365 security. In fact, Microsoft’s native services. There’s a service called Microsoft Entra B2B collaboration. It helps you collaborate with external users, vendors, and partners without having to depend on on-prem accounts.

You need to put restrictions on B2B guest accounts.

They shouldn’t be allowed anything beyond accessing browsing groups and other properties in the directory. They should not be permitted to read groups they’re not members of. They should not have access to the Azure portal either. if you ever have to treat some accounts exceptionally, use a conditional access policy that includes all guest users.

Monitoring of Microsoft 365 Cloud

Scenarios to MonitorDescription
Application Consent ActivityMonitor custom roles, updates to role definitions, and newly created custom roles.
Suspicious Activity Use UEBA for anomaly detection. Microsoft Defender for Cloud Apps provides UEBA in the cloud. Integrate on-premises UEBA from Azure Advanced Threat Protection.
Microsoft Entra Tenant-Wide ConfigurationsGenerate alerts for changes in tenant-wide configurations, including custom domains, B2B allowlists/blocklists, identity providers, Conditional Access/Risk policy changes, and service principal updates.
User and Entity Behavioral Analytics (UEBA) Alerts  Monitor all Microsoft Entra risk events for suspicious activity, natively integrated with Microsoft Defender for Identity. Define network-named locations to reduce noisy detections.
Emergency Access Accounts ActivityMonitor access using emergency access accounts, including sign-ins, credential management, group memberships, application assignments, and privileged role activity.

How to Use Conditional Access Policies for Improved Microsoft 365 Security?

  • Use Microsoft Entra Conditional Access to interpret signals and use them to make authentication decisions. Find time to understand the Conditional Access deployment plan.
  • Wherever possible, block legacy authentication protocols. That said, use application-specific configurations to block these protocols at the application level.
  • Make sure you implement recommended settings for identity and access management in the light of Zero Trust identity architecture.
  • Entra Conditional Access can decode security signals. You can automate Entra to make authentication decisions on its own learning from these interpretations.
  • Use Conditional Access to block legacy authentication protocols whenever possible. That said, disable legacy authentication protocols at the application level by using an application-specific configuration.
  • Implement the recommended identity and device access configurations. See Common Zero Trust identity and device access policies.

Note: You can use Security defaults if your Entra ID version doesn’t include Conditional Access.

Wrapping it Up:

There’s no doubt that M365 has built-in security measures. However, IT admins still need to manage a plethora of risks on a daily basis.

Cloud-based security, especially for Microsoft 365, is not all about native tools. Third-party cybersecurity tools also ease a lot of burden off the shoulders of your cybersecurity admins.

Investing in Microsoft 365 professional security services is specifically important for the protection of your on-prem environment. With the help of an external expert service, you can protect your Microsoft 365 environment from on-prem security threats without impeding your day-to-day business affairs.

One great option is WME’s Professional Microsoft 365 Security Services. With our cloud expertise, you will be able to integrate our ‘secret sauce’ cloud solution that will disable all on-prem gateways that could potentially provide a way to attacks to your M365 environment.

This external help is quite useful as native tools are not powerful enough to protect you, especially against modern email-driven threats.

WME Microsoft 365 Services:

The cloud world is full of uncertainties and security vulnerabilities. In such a situation, the decision to invest in professional Microsoft 365 security services has become a strategic imperative. WME’s Microsoft 365 services empower your organization to thrive without any fear of possible cybersecurity breaches halting your business.

Here’s what you can expect from WME’s Microsoft 365 security services:

✅ Highly Custom M365 Solutions

✅ Clear Security Policies & Governance

✅ On-Premises Protection

✅ Seamless Integration of Third-party Tools

✅ Security Assessments & Remediation Exercises

✅ Advanced Threat Protection

✅ Peace of Mind

Take the next step and protect your business running on the cloud NOW.

Your security is our priority.



Contact Us

On Key

More Posts

WME Cybersecurity Briefings No. 005
Cyber Security

WME Security Briefing 15 April 2024

E-Commerce Security Alert: Unveiling Magecart’s Persistent Backdoor Overview Malicious activities by Magecart attackers have been reported. They are targeting Shopify’s content delivery network (CDN) by creating fake Shopify stores. The backdoor method has enabled them to

Read More »
WME Cybersecurity Briefings No. 004
Cyber Security

WME Security Briefing 11 April 2024

Mispadu Trojan Exploits Windows Vulnerability to Target Financial Data Overview The Mispadu banking trojan has intensified its operations as it’s exploiting an already patched Windows SmartScreen flaw. Since its initial identification in 2019, Mispadu has primarily preyed on

Read More »
WME Cybersecurity Briefings No. 003
Cyber Security

WME Security Briefing 29 March 2024

Russian hackers escalating their cyber warfare, deploying TinyTurla-NG to breach European NGOs. Cisco Talos reveals a targeted attack against organizations advocating democracy and supporting Ukraine. With their sophisticated methods, these cyber attackers are bypassing antivirus defenses

Read More »
Be assured of everything

Get WME Services

Stay ahead of the competition with our Professional IT offerings.